- Phishing emails disguised as “coronavirus updates” are being used to lure victims into downloading malicious attachments
A phishing campaign targeting Japan is sending emails that include preventative measures and updates of the coronavirus infection. To scare the potential victims into opening malicious attachments, the spam emails — camouflaged as official notifications from government bodies like disability welfare service provider and public health centers — promise to provide more details on preventative measures against coronavirus infections within the attachments.
Once a victim downloads the Word Document attachment, they are prompted to “Enable Content” to properly view the full documents. Once macros are enables, the Emotet payload will be installed on the victim’s device using a PowerShell command.
The infected computer will then be used to deliver malicious spam messages to the victim’s existing contact list and to drop other malware strains onto the device such as the Trickbot info stealer Trojan known for also delivering ransomware.
This secondary payload will allow the attackers to harvest user credentials, browser history, and sensitive documents that will be packed and sent to attacker-controlled storage servers.
The phishing campaign is using stolen emails from previously compromised accounts as a template to attempt and infect recipients with Emotet. Hackers have started to use trendy topics as tools of catching people off guard, such as Christmas gift cards during holiday season and most recently the coronavirus scare. Be sure to always download attachments that come from trusted sources.
CyberQuay’s CDR Solution Would Detect This Threat
CyberQuay’s CDR solution would detect and disarm the malicious file before it is downloaded into the victim’s computer. This means that the Microsoft Word document, which contains the malicious payload, would be scanned and the malicious script would be disarmed. Click here to learn more about our solution and stay protected from all incoming file threats.